add metrics & encrypt

2023-09-02 17:50:06 +02:00
parent a0cc73a7e9
commit 9a13ade068
2 changed files with 51 additions and 4 deletions
--- a/content/posts/11-a-beautiful-gitops-day-1/index.md
+++ b/content/posts/11-a-beautiful-gitops-day-1/index.md
@ -355,6 +355,28 @@ Will print the SSH config access after cluster creation.
 {{</ tab >}}
 {{</ tabs >}}

+#### ETCD and network encryption by default
+
+You may need to enable etcd and network encryption in order to preventing any data leak in case of a server is compromised. You can easily do so by adding the following variables:
+
+{{< highlight host="demo-kube-hcloud" file="kube.tf" >}}
+
+```tf
+module "hcloud_kube" {
+  //...
+
+  enable_wireguard = true
+
+  control_planes_custom_config = {
+    secrets-encryption = true,
+  }
+
+  //...
+}
+```
+
+{{< /highlight >}}
+
 #### Inputs

 As input variables, you have the choice to use environment variables or separated `terraform.tfvars` file.
--- a/content/posts/15-a-beautiful-gitops-day-5/index.md
+++ b/content/posts/15-a-beautiful-gitops-day-5/index.md
@ -436,10 +436,6 @@ If you go to `https://grafana.kube.rocks/dashboards`, you should see a many dash
 * Prometheus and Grafana itself stats
 * Flux stats

-{{< alert >}}
-Some other core components like etcd, scheduler, proxy, and controller manager need to have metrics enabled to be scraped. See K3s docs or [this issue](https://github.com/k3s-io/k3s/issues/3619)
-{{< /alert >}}
-
 #### Prometheus

 [![Prometheus](dashboards-prometheus.png)](dashboards-prometheus.png)
@ -498,6 +494,35 @@ You can easily import some additional dashboards by importing them from Grafana

 [![Redis](dashboards-redis.png)](dashboards-redis.png)

+#### Other core components
+
+Some other core components like etcd, scheduler, proxy, and controller manager need to have metrics enabled to be scraped. See K3s docs or [this issue](https://github.com/k3s-io/k3s/issues/3619).
+
+From Terraform Hcloud project, use `control_planes_custom_config` for expose all remaining metrics endpoint:
+
+{{< highlight host="demo-kube-hcloud" file="kube.tf" >}}
+
+```tf
+module "hcloud_kube" {
+  //...
+
+  control_planes_custom_config = {
+    etcd-expose-metrics         = true,
+    kube-scheduler-arg          = "bind-address=0.0.0.0",
+    kube-controller-manager-arg = "bind-address=0.0.0.0",
+    kube-proxy-arg              = "metrics-bind-address=0.0.0.0",
+  }
+
+  //...
+}
+```
+
+{{< /highlight >}}
+
+{{< alert >}}
+As above config applies only at cluster initialization, you may change directly `/etc/rancher/k3s/config.yaml` instead and restart K3s server.
+{{< /alert >}}
+
 ## Logging

 Last but not least, we need to add a logging stack. The most popular one is [Elastic Stack](https://www.elastic.co/elastic-stack), but it's very resource intensive. A more lightweight option is to use [Loki](https://grafana.com/oss/loki/), also part of Grafana Labs.